This definition is part of our Essential Guide: Secure Web gateways, from evaluation to sealed deal
Contributor(s): Mike Cobb

Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.

Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message may install malware on the user’s device or direct them to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details. Phishing is a homophone of fishing, which involves using lures to catch fish.

Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate email than to break through a computer’s defenses. Although some phishing emails are poorly written and clearly fake, sophisticated cybercriminals employ the techniques of professional marketers to identify the most effective types of messages -- the phishing "hooks" that get the highest "open" or click-through rate, and the Facebook posts that generate the most likes. Phishing campaigns are often built around the year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.

To make phishing messages look like they genuinely come from a well-known company, they include logos and other identifying information taken directly from that company’s website. The malicious links within the body of the message are designed to look as if they go to the spoofed organization. The use of subdomains and misspelled URLs (typosquatting) are common tricks, as is homograph spoofing -- URLs built from look-alike characters so that they read exactly like a trusted domain. Some phishing scams use JavaScript to place a picture of a legitimate URL over a browser’s address bar. The URL revealed by hovering over an embedded link can also be changed using JavaScript.
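As an added example (not part of the original definition), the following Python checks the links in an email body for the tricks just described: a visible link text that names one domain while the href goes to another, a trusted brand name used as a subdomain of an unrelated domain, a non-ASCII or punycode host (possible homograph), and a domain within a couple of edits of a trusted one (typosquatting). The `TRUSTED` set and the sample HTML are constructed for illustration, and the registrable-domain helper is deliberately crude.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-bank.com"}   # constructed: brands your users expect mail from

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def registrable(host):
    """Crude registrable domain (last two labels); use the Public Suffix List in production."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) > 1 else host

def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_findings(html):
    """Return [(href, [reasons])] for every link that shows a phishing link trick."""
    parser = _Links(); parser.feed(html)
    out = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if any(ord(c) > 127 for c in host) or "xn--" in host:
            reasons.append("non-ASCII/punycode host (possible homograph)")
        shown = host_of(text) if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and registrable(shown) != registrable(host):
            reasons.append("visible text names a different domain than the href")
        for t in TRUSTED:
            if host != t and not host.endswith("." + t) and t in host:
                reasons.append(f"trusted name '{t}' used as a subdomain of another domain")
            elif 0 < edit_distance(registrable(host), t) <= 2:
                reasons.append(f"domain is within 2 edits of '{t}' (typosquat)")
        if reasons:
            out.append((href, reasons))
    return out
```

Run `link_findings()` over the HTML part of a message at the gateway or in a mail-analysis script; an empty list means none of these link tricks was seen, not that the message is safe.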

Spear phishing attacks are directed at specific individuals or companies, while incidents that specifically target senior executives within an organization are termed whaling attacks. Those preparing a spear phishing campaign research their victims in detail in order to create a more genuine message, as using information relevant or specific to a target increases the chances of the attack being successful. Phishers use social networking and other sources of information to gather background information about the victim’s personal history, their interests and activities. Names, job titles and email addresses of colleagues and key company employees are verified, as are vacations. This information is then used to craft a believable email. Targeted attacks and advanced persistent threats (APTs) typically start with a spear phishing email containing a malicious link or attachment.

A gateway email filter can trap many mass-mailed phishing emails, reducing the number that reach users’ inboxes. Ensure your own mail servers make use of one of the main email authentication standards; Sender ID or DomainKeys will help cut out spoofed email too. A Web security gateway can provide another layer of defense by preventing users from reaching the target of a malicious link. Such gateways work by checking requested URLs against a constantly updated database of sites suspected of distributing malware.

There are plenty of resources on the Internet that provide help in combating phishing. The Anti-Phishing Working Group Inc. and the federal government’s website both provide advice on how to spot, avoid and report phishing attacks. Interactive training aids such as Wombat Security Technologies' Anti-Phishing Training Suite or PhishMe can help teach employees how to avoid phishing traps, while sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines circulating on the Internet.

This was last updated in October 2015


Criminal activity of sending emails or having a website that is intended to trick someone into giving away information targeted advertising or the ‘pushing’ of people towards products and services
What do you think is the best defense against phishing attacks?
I am looking at a product for my company that is a flash drive that is a secure server and is loaded with the websites that are needed to be secure for me. Banks, Shopping sites, stores, etc, any place I might be showing some of my financial info in buying or trading or just looking at my accounts. They send you a flash drive with all of your sites on it and it has been swept for phishing and guaranteed secure. I can then go to those sites worry free that my information is going to be stolen. Does anyone know anything about this technology or systems?
I thought you spelled it like fishing not phishing.
Either way it is bad.
If I set up a program to get people's passwords from an E-mail I send, but don't act as a business or act like someone else, but still log into their email, is that considered phishing?
It is considered phishing unless you ask them for permission to use their account and they grant it.
Phishing - can it access another user's documents by trying to repeat a password several times?
Knowledge is power! Be vigilant and, should someone target you, make a report with the FTC (Federal Trade Commission). Do not just "blow it off".